

A trojanized 7-Zip installer is being distributed from the lookalike domain 7zip[.]com; the legitimate 7-Zip project is hosted only at 7-zip[.]org. The installer delivers a working copy of 7-Zip to avoid suspicion, but also drops a concealed malware payload that silently enrols the infected PC as a residential proxy node. The campaign surfaced after a user followed a YouTube PC-build tutorial that linked to the fake domain and later received a generic Microsoft Defender trojan alert. The installer was Authenticode-signed with a certificate issued to Jozeal Network Technology Co., Limited (since revoked), which lent it superficial trust.
CVE
Not Applicable
Targeting / Delivery Mechanism
Social engineering and domain impersonation drive the installs, amplified by third-party content (such as the YouTube tutorial) that mistakenly recommends 7zip[.]com as the download source.
Execution Technique
Alongside a modified 7zfm.exe that still behaves as the normal 7-Zip file manager, the installer drops Uphero.exe (loader and service manager), hero.exe (Go-based proxy payload) and hero.dll into C:\Windows\SysWOW64\hero. The malware registers auto-start Windows services that run as SYSTEM and uses netsh to delete existing firewall rules and replace them with allow rules for its own binaries. It profiles the host through WMI and Windows APIs and communicates over HTTPS, often fronted by Cloudflare, resolving its domains with DNS-over-HTTPS to Google's resolver so that the lookups bypass the local resolver and conventional DNS logging.
Persistence / Deployment
The SYSTEM services restart the payload on every reboot, giving it stable proxy operation. Related "up*" binaries suggest a broader proxyware operation with shared infrastructure.
Operational Impact
Any system that executed an installer downloaded from 7zip[.]com should be treated as compromised. The malware establishes SYSTEM-level persistence, rewrites firewall policy and enrols the host in a residential proxy network, so third parties can route traffic through the victim's IP address. That is a real-world risk beyond "it's just malware": fraud and abuse traffic may be attributed to the victim's network, network monitoring becomes noisier, and incident response is harder because the traffic is encrypted, Cloudflare-fronted and resolved over DNS-over-HTTPS, so it does not appear in local DNS logs. Bundling a fully working 7-Zip increases dwell time because users see exactly the behaviour they expected. Even if the payload's primary purpose is proxyware rather than direct data theft, privileged persistence combined with firewall manipulation raises the risk of follow-on compromise, reuse of the foothold by other operators, and prolonged misuse of corporate or home connectivity.
Validate Integrity
Hunt for the files C:\Windows\SysWOW64\hero\Uphero.exe, hero.exe and hero.dll; Windows services whose image path points into that directory; firewall rules named hero or Uphero; the mutex Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7; and outbound traffic to iplogger[.]org and the hero/smshero domains. Because the payload resolves names over DNS-over-HTTPS, check proxy and TLS/SNI logs as well as conventional DNS logs.
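The checks above, collected into one read-only PowerShell hunt that can be run in an elevated session on a suspect host. This is an added example, not code from the referenced reports or from the 7-Zip project. It assumes the paths, service directory, rule names and mutex are exactly as quoted in this advisory; the DNS-cache pattern and the check for connections to 8.8.8.8/8.8.4.4 on port 443 (how Google's DNS-over-HTTPS endpoint is reached) are heuristics added here, not indicators from the reports, and Add-Finding is a helper defined in the block, not a built-in cmdlet.

```powershell
# Added example (not from the source articles): read-only hunt for the hero/Uphero indicators.
# Run as Administrator on PowerShell 5.1 or later. Assumptions: indicator values are as quoted in
# the advisory; the DNS-cache regex and the 8.8.8.8/8.8.4.4:443 tag are heuristics added here.

$HeroDir   = 'C:\Windows\SysWOW64\hero'
$HeroFiles = 'Uphero.exe', 'hero.exe', 'hero.dll'
$Mutex     = 'Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7'
$Findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Dropped files. Report the Authenticode status and signer of anything present; the
#    signing certificate has been revoked, so a "Valid" status here would itself be notable.
foreach ($f in $HeroFiles) {
    $p = Join-Path $HeroDir $f
    if (Test-Path -LiteralPath $p) {
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        Add-Finding 'file' "$p exists (signature=$($sig.Status); signer=$signer)"
    }
}

# 2. Services whose image path points into the hero directory. The advisory says they are
#    auto-start and run as SYSTEM, so StartMode/StartName are reported for confirmation.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*\SysWOW64\hero\*' } | ForEach-Object {
    Add-Finding 'service' "$($_.Name) -> $($_.PathName) [start=$($_.StartMode); account=$($_.StartName); state=$($_.State)]"
}

# 3. Firewall rules named hero/Uphero, or whose program filter points at the directory.
$byName = Get-NetFirewallRule -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '^(Up)?hero\b' }
$byProg = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
          Where-Object { $_.Program -like "$HeroDir\*" } | Get-NetFirewallRule
foreach ($rule in @($byName) + @($byProg) | Sort-Object -Property Name -Unique) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    Add-Finding 'firewall' "$($rule.DisplayName): $($rule.Direction) $($rule.Action) program=$prog enabled=$($rule.Enabled)"
}

# 4. Mutex. TryOpenExisting succeeds only while a process holds the named mutex; an
#    access-denied error still proves the object exists.
$m = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting($Mutex, [ref]$m)) {
        $m.Dispose()
        Add-Finding 'mutex' "$Mutex is currently held by a running process"
    }
} catch [System.UnauthorizedAccessException] {
    Add-Finding 'mutex' "$Mutex exists but could not be opened (access denied)"
}

# 5. Established TCP connections owned by processes running from the hero directory.
#    A 443 connection to 8.8.8.8/8.8.4.4 from one of them matches the DoH behaviour described.
$heroPids = @(Get-Process | Where-Object { $_.Path -like "$HeroDir\*" } | Select-Object -ExpandProperty Id)
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($heroPids -contains $c.OwningProcess) {
        $doh = ($c.RemotePort -eq 443) -and ($c.RemoteAddress -in @('8.8.8.8', '8.8.4.4'))
        $tag = if ($doh) { ' (Google DoH endpoint)' } else { '' }
        Add-Finding 'network' "pid $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort)$tag"
    }
}

# 6. OS resolver cache. The payload does its own lookups over DoH, so an empty result here
#    does not clear the host; a hit means something on the box resolved these names normally.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match 'iplogger\.org$|(^|\.)(sms)?hero\.' } |
    ForEach-Object { Add-Finding 'dns-cache' "$($_.Entry) -> $($_.Data)" }

if ($Findings.Count -eq 0) {
    Write-Output 'No hero/Uphero indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
    Write-Warning "$($Findings.Count) indicator(s) matched: treat the host as compromised and follow the response steps."
}
```

The script changes nothing on the host; every check is a read, so it can be run before deciding whether to isolate. Any single match is enough to treat the host as compromised, but the file and service checks are the decisive ones: the mutex and connection checks only fire while the payload is actually running.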
Respond to Confirmed Compromise
Isolate the host, stop and delete the malicious services and binaries, revert the firewall changes, run AV/EDR cleanup, and reimage if integrity cannot be established. Because the malware ran as SYSTEM, assume any credentials cached on the host could have been accessed. Review egress logs for proxy-like traffic from the device, such as large numbers of outbound connections to unrelated destinations, and check whether other hosts installed from the same download.
Strengthen Preventative Controls
Enforce approved download sources (7-Zip only from 7-zip[.]org), block the known domains at the proxy and DNS layers, alert on new auto-start services running as SYSTEM and on firewall rule additions or deletions (including netsh advfirewall invocations), and restrict local admin elevation for unapproved installers.
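One way to implement the monitoring controls above from Windows event logs, as an added example that is not code from the referenced reports. It sweeps the last 24 hours for the two behaviours this campaign exhibits: service installs that run as SYSTEM from outside the expected directories, and firewall rule changes. It assumes System event 7045 (Service Control Manager) is present, that Security events 4946/4947/4948 are enabled through "Audit MPSSVC Rule-Level Policy Change", and that Security 4688 carries a CommandLine field, which requires "Audit Process Creation" plus "Include command line in process creation events". Add-Alert and Get-EventData are helpers defined in the block, not built-in cmdlets. It goes beyond the hero-specific indicators on purpose: the rules are behavioural, so they would also flag the next proxyware that uses the same SYSTEM-service-plus-netsh pattern.

```powershell
# Added example (not from the source articles): behavioural sweep of Windows event logs for
# new SYSTEM services outside trusted roots and for firewall rule changes. Run as Administrator.
# Assumptions: 7045 is logged by default; 4946-4948 and 4688-with-command-line need the audit
# policies named in the lead-in to be enabled, otherwise those sections simply find nothing.

$Since  = (Get-Date).AddHours(-24)
$Alerts = [System.Collections.Generic.List[object]]::new()

function Add-Alert([string]$Kind, [string]$Detail) {
    $Alerts.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# Turn an event's EventData into a name -> value hashtable so fields are read by name
# rather than by positional index (the order differs between event IDs).
function Get-EventData($Event) {
    $h = @{}
    foreach ($d in ([xml]($Event.ToXml())).Event.EventData.Data) {
        $h[[string]$d.Name] = [string]$d.'#text'
    }
    $h
}

# 1. Service installs (7045). SysWOW64 is deliberately absent from the allow-list: the hero
#    payload lives under C:\Windows\SysWOW64\hero, so a SYSTEM auto-start service there alerts.
$TrustedRoots = 'C:\Windows\System32\', 'C:\Program Files\', 'C:\Program Files (x86)\'
foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue) {
    $d       = Get-EventData $e
    $img     = ([string]$d.ImagePath).Trim('"')
    $trusted = $false
    foreach ($root in $TrustedRoots) {
        if ($img.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    if ($d.AccountName -eq 'LocalSystem' -and $d.StartType -match 'auto' -and -not $trusted) {
        Add-Alert 'service-install' "$($e.TimeCreated) $($d.ServiceName) -> $img (start=$($d.StartType); account=$($d.AccountName))"
    }
}

# 2. Firewall rule changes: 4946 added, 4947 modified, 4948 deleted. The netsh delete/add
#    sequence described above produces a 4948 followed by a 4946 for each replaced rule.
$FwKinds = @{ 4946 = 'firewall-rule-added'; 4947 = 'firewall-rule-modified'; 4948 = 'firewall-rule-deleted' }
foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947, 4948; StartTime = $Since } -ErrorAction SilentlyContinue) {
    $d = Get-EventData $e
    Add-Alert $FwKinds[$e.Id] "$($e.TimeCreated) profile=$($d.ProfileChanged) rule=$($d.RuleName) id=$($d.RuleId)"
}

# 3. netsh being used to add, delete or alter firewall rules (4688 with command line). This
#    catches the change even on hosts where rule-level auditing is not enabled.
foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue) {
    $d = Get-EventData $e
    if ($d.NewProcessName -like '*\netsh.exe' -and $d.CommandLine -match 'advfirewall\s+firewall\s+(add|delete|set)\s+rule') {
        Add-Alert 'netsh-firewall' "$($e.TimeCreated) parent=$($d.ParentProcessName) user=$($d.SubjectUserName) cmd=$($d.CommandLine)"
    }
}

if ($Alerts.Count -eq 0) {
    Write-Output 'Nothing flagged in the last 24 hours.'
} else {
    $Alerts | Sort-Object Detail | Format-Table -AutoSize -Wrap
}
```

On a managed fleet the same three queries belong in the SIEM rather than in a scheduled script: forward System 7045 and Security 4946-4948/4688 centrally and alert on the same conditions, because a payload running as SYSTEM can clear local logs after the fact. Expect some noise from legitimate installers that register SYSTEM services under Program Files; the allow-list is the tuning knob, not the SYSTEM check.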
References
https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
https://www.bleepingcomputer.com/news/security/malicious-7-zip-site-distributes-installer-laced-with-proxy-tool/amp/
https://blog.lukeacha.com/2026/01/beware-of-fake-7zip-installer-upstage.html